Payload-checksum in PEM?


Payload-checksum in PEM?

etc@coderhacks.com
Hi!

I have a verification-error in a SMIME-message and I try to check
manually the checksums of the payload.

Here is my strategy - but I do not know if it is even possible.


# openssl cms -sign -in myfile.txt -md md5 -signer cer.txt -inkey key.txt -outform PEM > pem.txt

# md5sum myfile.txt

Can I expect to find the md5sum checksum somewhere in the ASN1 of pem.txt???

# openssl asn1parse -in pem.txt

As far as I see it is not there - but maybe it is just a quick step to it?

Thanks for help!
Chris
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Payload-checksum in PEM?

Viktor Dukhovni


> On Mar 8, 2018, at 11:25 AM, [hidden email] wrote:
>
> # openssl cms -sign -in myfile.txt -md md5 -signer cer.txt -inkey key.txt -outform PEM > pem.txt
>
> # md5sum myfile.txt
>
> Can I expect to find the md5sum checksum somewhere in the ASN1 of pem.txt???
>
> # openssl asn1parse -in pem.txt
>
> As far as I see it is not there - but maybe it is just a quick step to it?

When signing, the checksum is part of the signature, so you'd have to
decrypt the signature block with the signer's public key via:

        openssl rsautl -pubin -raw -encrypt -inkey pubkey.pem

and find the message digest there.

--
        Viktor.

Re: Payload-checksum in PEM?

etc@coderhacks.com
Thanks for your help!

But I am not sure I do fully understand that - not doing that every day.
Please one more hint - thanks.

I have a certificate (cer.txt; content is enclosed with ---BEGIN/END
CERTIFICATE---).
I can get the public-key out of that. (pubkey.txt; content is enclosed
---BEGIN/END PUBLIC KEY---).
I have the PEM (pem.txt; content is enclosed with ---BEGIN/END CMS---).
This is what I call the signature and I would expect to have a hash of
my original file somewhere inside of it.

If I do

openssl rsautl -pubin -raw -encrypt -inkey pubkey.txt -in pem.txt

I get an error (...rsa routines:RSA_padding_add_none:data too large for
key size...).

Am I doing something wrong or do I have the wrong ingredients?

I try to find the hashvalue that any other tool gives me when hashing
the original payload (myfile.txt).

Thanks
Chris






On 2018-03-08 17:31, Viktor Dukhovni wrote:

>
>> On Mar 8, 2018, at 11:25 AM, [hidden email] wrote:
>>
>> # openssl cms -sign -in myfile.txt -md md5 -signer cer.txt -inkey key.txt -outform PEM > pem.txt
>>
>> # md5sum myfile.txt
>>
>> Can I expect to find the md5sum checksum somewhere in the ASN1 of pem.txt???
>>
>> # openssl asn1parse -in pem.txt
>>
>> As far as I see it is not there - but maybe it is just a quick step to it?
> When signing, the checksum is part of the signature, so you'd have to
> decrypt the signature block with the signer's public key via:
>
> openssl rsautl -pubin -raw -encrypt -inkey pubkey.pem
>
> and find the message digest there.
>


Re: Payload-checksum in PEM?

Viktor Dukhovni


> On Mar 8, 2018, at 11:52 AM, [hidden email] wrote:
>
> I have a certificate (cer.txt; content is enclosed with ---BEGIN/END CERTIFICATE---).
> I can get the public-key out of that. (pubkey.txt; content is enclosed ---BEGIN/END PUBLIC KEY---).
> I have the PEM (pem.txt; content is enclosed with ---BEGIN/END CMS---).

That's a CMS message, it may contain a signature, but it is not (just) a signature.

> This is what I call the signature and I would expect to have a hash of my original file somewhere inside of it.

See above.

> If I do
>
> openssl rsautl -pubin -raw -encrypt -inkey pubkey.txt -in pem.txt

The raw RSA signed payload is not textual PEM data, it is a binary element of
the CMS structure (when the structure contains a signature).

--
        Viktor.
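
An added example, not part of the original thread: with the signed attributes that `openssl cms -sign` writes by default, the payload digest shows up in the `asn1parse` output as the `messageDigest` attribute, computed over the CRLF-canonicalised text unless `-binary` is given. The payload, the throwaway self-signed signer and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Payload and throwaway self-signed signer are constructed.

# Hex value of the messageDigest signed attribute in a PEM-encoded CMS file.
attr_digest() {
    openssl asn1parse -inform PEM -in "$1" |
        awk '/:messageDigest/ { want = 1; next }
             want && /OCTET STRING/ {
                 sub(/.*\[HEX DUMP\]:/, ""); print tolower($0); exit }'
}

# Hex digest of stdin under algorithm $1 (md5, sha256, ...).
stdin_digest() {
    openssl dgst "-$1" -r | cut -d' ' -f1
}

# compare MD: prints "binary=<match|differ> canonical=<match|differ>".
compare() {
    md=$1
    dir=$(mktemp -d) || return 1
    printf 'line one\nline two\n' > "$dir/myfile.txt"
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=demo signer' -days 1 \
        -keyout "$dir/key.txt" -out "$dir/cer.txt" 2>/dev/null || return 1
    # Same options as in the thread: text mode, LF becomes CRLF before hashing.
    openssl cms -sign -in "$dir/myfile.txt" -md "$md" -signer "$dir/cer.txt" \
        -inkey "$dir/key.txt" -outform PEM -out "$dir/pem.txt" || return 1
    # With -binary the bytes are hashed exactly as they are on disk.
    openssl cms -sign -binary -in "$dir/myfile.txt" -md "$md" \
        -signer "$dir/cer.txt" -inkey "$dir/key.txt" \
        -outform PEM -out "$dir/pem-binary.txt" || return 1
    raw=$(stdin_digest "$md" < "$dir/myfile.txt")
    crlf=$(awk '{ printf "%s\r\n", $0 }' "$dir/myfile.txt" | stdin_digest "$md")
    [ -n "$raw" ] || return 1
    b=differ; c=differ
    [ "$(attr_digest "$dir/pem-binary.txt")" = "$raw" ] && b=match
    [ "$(attr_digest "$dir/pem.txt")" = "$crlf" ] && c=match
    rm -rf "$dir"
    echo "binary=$b canonical=$c"
}
```

Calling `compare md5` reproduces the digest algorithm used in the thread. When the message is signed with `-noattr`, no `messageDigest` attribute is written.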
